The Web Security Mailing List

Microsoft has been working on a tool called 'Nozzle' to prevent exploitation via heap-spraying attacks, and has released a whitepaper describing the approach. From the whitepaper:

"Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage their ability to allocate arbitrary objects in the heap of a type-safe language, such as JavaScript, literally filling the heap with objects that contain dangerous exploit code. In recent years, spraying has been used in many real security exploits, especially in web browsers. In this paper, we describe Nozzle, a runtime monitoring infrastructure that detects attempts by attackers to spray the heap. Nozzle uses lightweight emulation techniques to detect the presence of objects that contain executable code. To reduce false positives, we developed a notion of global “heap health”.

We measure the effectiveness of Nozzle by demonstrating that it successfully detects 12 published and 2,000 synthetically generated heap-spraying exploits. We also show that even with a detection threshold set six times lower than is required to detect published malicious attacks, Nozzle reports no false positives when run over 150 popular Internet sites. Using sampling and concurrent scanning to reduce overhead, we show that the performance overhead of Nozzle is less than 7% on average. While Nozzle currently targets heap-based spraying attacks, its techniques can be applied to a more general class of attacks in which an attacker attempts to fill the address space with dangerous code objects."

Good to see MS publishing this sort of research. DDJ has also published an extensive article describing the tool and heap spraying.
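As an added illustration of the whitepaper's global "heap health" idea (this is not Microsoft's Nozzle code, which emulates x86 and builds a control-flow graph per object), here is a toy Python scanner that scores each heap object by its longest sled-like byte run and alerts only when the heap as a whole crosses a threshold. The opcode set in SLED_OPCODES, the sample heap objects and the 0.5 threshold are assumptions made for the example.

```python
# Added example, not Nozzle's own code: a toy "heap health" scanner in the spirit
# of the whitepaper. Each object is scored by how much of it would execute as a
# harmless sled, and the alert is decided over the whole heap, not per object.
# Every heap object below is constructed test data.
from typing import List, Tuple

# Assumption: single-byte x86 opcodes (NOP, INC/DEC reg) usable as sled filler.
# Nozzle emulates instructions and builds a control-flow graph; byte matching
# is only a stand-in for that.
SLED_OPCODES = frozenset([0x90] + list(range(0x40, 0x50)))

def surface_area(obj: bytes) -> int:
    """Longest run of sled-like bytes: offsets a jump could land on and slide."""
    best = run = 0
    for b in obj:
        run = run + 1 if b in SLED_OPCODES else 0
        best = max(best, run)
    return best

def heap_health(heap: List[bytes]) -> float:
    """Sled-like bytes over total heap bytes: ~0 for data, ~1 when sprayed."""
    total = sum(len(o) for o in heap)
    return sum(surface_area(o) for o in heap) / total if total else 0.0

def scan_heap(heap: List[bytes], threshold: float = 0.5) -> Tuple[float, bool]:
    """Return (score, flagged). A global threshold means one odd object in a
    large benign heap does not raise an alert, which limits false positives."""
    score = heap_health(heap)
    return score, score >= threshold

# Constructed benign objects. "GET" holds two sled-like bytes ('G', 'E' decode
# as INC), the kind of noise a per-object check would trip on.
BENIGN_OBJECTS = [
    b"hello world, this is an ordinary javascript string",
    b'{"user": "alice", "id": 42, "role": "viewer"}',
    b"GET /index.html HTTP/1.1",
    bytes(range(8)) * 4,
]
BENIGN_HEAP = BENIGN_OBJECTS * 50
# Constructed spray object: a long sled followed by a text placeholder, not code.
SPRAY_OBJECT = b"\x90" * 1024 + b"<constructed-payload-placeholder>"
ONE_OUTLIER_HEAP = BENIGN_HEAP + [SPRAY_OBJECT]
SPRAYED_HEAP = BENIGN_HEAP + [SPRAY_OBJECT] * 64

if __name__ == "__main__":
    for name, heap in [("benign", BENIGN_HEAP), ("outlier", ONE_OUTLIER_HEAP),
                       ("sprayed", SPRAYED_HEAP)]:
        print(name, *scan_heap(heap))
```

The single outlier heap scores well under the threshold while the sprayed heap scores well over it, which is the point of measuring health globally rather than flagging any one suspicious object.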